Cybersecurity firm SentinelOne has disclosed a sophisticated cyber espionage campaign orchestrated by a China-linked threat group known as PurpleHaze. This group has been implicated in reconnaissance activities targeting SentinelOne’s infrastructure and several of its high-profile clients.
The initial detection of PurpleHaze’s activities occurred in 2024 during an intrusion into an organization that previously provided hardware logistics services for SentinelOne employees. Security researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter detailed these findings in a comprehensive analysis published on April 28, 2025.
PurpleHaze is believed to have affiliations with another state-sponsored entity, APT15, also known by various aliases including Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda. This connection suggests a broader network of coordinated cyber activities emanating from China.
In October 2024, PurpleHaze was observed targeting an undisclosed South Asian government-supporting organization. The group employed an operational relay box (ORB) network alongside a Windows backdoor named GoReShell. GoReShell is written in Go and is built on the open-source reverse_ssh tool: the implant on the victim host initiates an outbound SSH connection to attacker-controlled infrastructure, giving the operators an interactive channel without opening any inbound port on the target.
ORB networks are increasingly common among such threat actors. Built from compromised devices and rented virtual servers, they can be expanded quickly and rotated often, so the infrastructure seen in one intrusion rarely matches the next. That churn complicates indicator-based tracking and attribution, and pushes defenders toward behavioral detection rather than reliance on IP and domain blocklists.
Further investigations revealed that the same South Asian government entity targeted by PurpleHaze in October 2024 had previously been attacked in June 2024 using ShadowPad, also known as PoisonPlug. ShadowPad is a backdoor widely utilized among China-affiliated espionage groups and is considered a successor to the PlugX malware.
Notably, ShadowPad has also been employed as a conduit to deliver ransomware in recent months, adding complexity to determining the exact motivations behind these attacks. The ShadowPad artifacts associated with these incidents were obfuscated using a custom compiler named ScatterBrain, further complicating detection and analysis efforts.
The overlap between the June and October 2024 activities suggests that a single threat actor may have orchestrated both campaigns. The ScatterBrain-obfuscated ShadowPad was reportedly used in intrusions targeting over 70 organizations across sectors such as manufacturing, government, finance, telecommunications, and research. These attacks likely exploited an N-day vulnerability in Check Point gateway devices, meaning a flaw for which a fix was already available at the time of exploitation, which underscores the importance of patching internet-facing security appliances promptly.
Among the victims was the organization responsible for managing hardware logistics for SentinelOne employees. However, SentinelOne has stated that there is no evidence of a secondary compromise affecting its internal systems or data.
In addition to these Chinese-linked activities, SentinelOne has observed attempts by North Korea-aligned IT workers to infiltrate the company. These individuals, using approximately 360 fake personas, submitted over 1,000 job applications, including to SentinelLabs, the company’s intelligence engineering team. This highlights the persistent and diverse nature of cyber threats facing organizations today.
Furthermore, ransomware operators have targeted SentinelOne and other enterprise-focused security platforms, seeking to gain access to their tools to assess and enhance their malware’s ability to evade detection. This has given rise to an underground economy centered around the acquisition and rental of access to enterprise security solutions on various forums and messaging platforms.
The emergence of services like EDR Testing-as-a-Service allows malicious actors to discreetly evaluate their malware against different endpoint detection and response (EDR) systems, thereby refining their attack strategies. This trend underscores the evolving tactics of cybercriminals and the need for continuous advancements in cybersecurity defenses.
In response to these developments, SentinelOne emphasizes the importance of robust security measures, including regular system updates, comprehensive monitoring, and employee awareness training to mitigate the risks associated with such sophisticated cyber threats.